Regulation on the Processing and Protection of Personal Data in Personal Data Databases Owned by the Seller
Contents:
1. General Concepts and Scope of Application
2. List of Personal Data Databases
3. Purpose of Personal Data Processing
4. Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
5. Location of the Personal Data Database
6. Conditions for Disclosure of Personal Data to Third Parties
7. Protection of Personal Data: Protection Methods, Responsible Person, Employees Directly Involved in Processing and/or Having Access to Personal Data in Connection with Their Job Duties, Data Retention Period
8. Rights of the Data Subject
9. Procedure for Handling Requests from the Data Subject
10. State Registration of the Personal Data Database
1. General Concepts and Scope of Application
1.1. Definitions of Terms:
- Personal Data Database — a named set of organized personal data in electronic form and/or in the form of card files.
- Responsible Person — a designated individual responsible for organizing the work related to the protection of personal data during its processing, in accordance with the law.
- Owner of the Personal Data Database — a natural or legal person authorized by law or with the consent of the data subject to process personal data, who defines the purpose of data processing, the composition of the data, and the procedures for their processing, unless otherwise provided by law.
- State Register of Personal Data Databases — a unified state information system for collecting, accumulating, and processing information about registered personal data databases.
- Public Sources of Personal Data — directories, address books, registers, lists, catalogs, and other systematic collections of open information containing personal data published with the knowledge of the data subject. Social networks and online resources where individuals post personal data are not considered public sources, except when explicitly indicated by the data subject that the personal data is posted for free distribution and use.
- Consent of the Data Subject — any documented, voluntary declaration by a natural person granting permission for the processing of their personal data in accordance with the stated purpose of its processing.
- Anonymization of Personal Data — the removal of information that allows a person to be identified.
- Processing of Personal Data — any action or set of actions performed in an information system or in personal data card files related to the collection, registration, accumulation, storage, adaptation, modification, updating, usage, and dissemination (distribution, transfer), anonymization, or destruction of personal data.
- Personal Data — information or a set of information about a natural person who is identified or can be specifically identified.
- Personal Data Administrator — a natural or legal person authorized by the owner of the personal data database or by law to process personal data. A person entrusted by the owner and/or administrator of the personal data database to perform technical tasks related to the database without access to the personal data content is not considered an administrator.
- Data Subject — a natural person whose personal data is processed in accordance with the law.
- Third Party — any person, other than the data subject, the owner, or the administrator of the personal data database, or an authorized state body on personal data protection, to whom personal data is transferred under the law.
- Special Categories of Data — personal data related to racial or ethnic origin, political, religious, or philosophical beliefs, membership in political parties and trade unions, as well as data concerning health or sexual life.
1.2. This Regulation is mandatory for application by the responsible person and employees of the seller who directly process and/or have access to personal data in connection with their official duties.
2. List of Personal Data Databases
2.1. The seller owns the following personal data databases:
- Personal data database of contractors.
3. Purpose of Personal Data Processing
3.1. The purpose of processing personal data in the system is to ensure the realization of civil-law relations and the provision of, receipt of, and settlement for goods and services in accordance with the Tax Code of Ukraine and the Law of Ukraine "On Accounting and Financial Reporting in Ukraine."
4. Procedure for Processing Personal Data: Obtaining Consent, Notification of Rights, and Actions with Personal Data of the Data Subject
4.1. The consent of the data subject must be a voluntary expression of a natural person granting permission for the processing of their personal data in accordance with the stated purpose of its processing.
4.2. The consent of the data subject can be provided in the following forms:
- A paper document with identifying details that allows identification of both the document and the person.
- An electronic document with mandatory details for identification of both the document and the person. Consent is recommended to be confirmed by an electronic signature.
- A mark on an electronic document or file processed in an information system based on documented software-technical solutions.
5. Location of the Personal Data Database
5.1. The databases of personal data mentioned in Section 2 of this Regulation are located at the seller’s address.
6. Conditions for Disclosure of Personal Data to Third Parties
6.1. The procedure for access to personal data by third parties is determined by the terms of consent provided by the data subject to the personal data owner or as required by law.
6.2. Access to personal data will not be provided to third parties if they refuse to take on obligations to comply with the requirements of the Law of Ukraine "On Personal Data Protection" or are unable to ensure such compliance.
7. Protection of Personal Data
7.1. The owner of the personal data database is equipped with system and software-technical means and communication facilities that prevent the loss, theft, unauthorized destruction, distortion, falsification, or copying of information and that comply with international and national standards.
7.2. The responsible person is appointed by order and defined in their job description.
7.3. The responsible person must:
- Know data protection law;
- Define access procedures;
- Ensure staff compliance with laws and internal rules;
- Implement internal control procedures;
- Report violations within one business day;
- Store documentation of consent and notifications.
7.4. The responsible person may:
- Access relevant documents and issue copies;
- Participate in discussions and propose improvements;
- Receive clarifications and sign relevant documents.
7.5. Employees with access to personal data must comply with legal and internal requirements.
7.6. Such employees must not disclose personal data obtained through their duties. This obligation continues after termination of employment.
7.7. Violations of the data protection law result in liability under Ukrainian legislation.
7.8. Personal data must not be stored longer than necessary for the stated purpose or beyond the consent period.
8. Rights of the Data Subject
8.1. The data subject has the right to:
- Know the location, purpose, and owner/processor of the database;
- Know the terms of access and recipients of their data;
- Access their personal data;
- Receive a response within 30 calendar days regarding the existence and content of their data;
- Object to unlawful processing;
- Request correction or deletion of inaccurate or unlawfully processed data;
- Protect their data from misuse, delay, or misrepresentation;
- Appeal to authorities for rights protection;
- Seek legal remedies for data protection violations.
9. Procedure for Handling Requests
9.1. The data subject may request any personal information about themselves without specifying the purpose, unless restricted by law.
9.2. Access is free of charge.
9.3. The request must include:
- Full name, address, ID document details;
- Other identifying information;
- Database or owner/processor information;
- List of requested data.
9.4. The review period is up to 10 working days. The data owner must inform the subject whether the request will be granted or denied.
9.5. Unless otherwise provided by law, the request is fulfilled within 30 calendar days.
10. State Registration
10.1. State registration of personal data databases is carried out in accordance with Article 9 of the Law of Ukraine "On Personal Data Protection."